Monday, August 29, 2011

AD : Displaying the SPN


SPN stands for Service Principal Name. SPNs are used (among other places) by Kerberos to identify a service instance.

Normally, you work with them via the Setspn tool.


setspn -l <account name>

which lists all SPNs registered on that account.

However, you can also do this by:

Start – Administrative Tools – Active Directory Users and Computers – View – Advanced Features

Then navigate to the account via the tree. Right click – Properties – Attribute Editor tab. Then scroll down to servicePrincipalName and double-click.

You can add and remove SPNs from this window as well (i.e. the equivalent of setspn -a … or setspn -d …).
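As an added example (not part of the original post), here is the same data read with PowerShell through ADSI, plus the check a practitioner usually wants next: whether any SPN is registered on more than one object, which breaks Kerberos because the KDC cannot decide which account's key to use for the service ticket. That second check is what setspn -X does; this version lists the owners. The account name 'svc-web' is a placeholder; the script assumes a domain-joined machine and an account that can read servicePrincipalName.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine.
function Get-AccountSpn {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    # Same attribute ADUC shows under Attribute Editor -> servicePrincipalName
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found" }
    @($result.Properties['serviceprincipalname'])
}

function Find-DuplicateSpn {
    # Walk every object that has at least one SPN and group owners by SPN.
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'distinguishedName'))
    $owners = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            foreach ($spn in $r.Properties['serviceprincipalname']) {
                $key = ([string]$spn).ToLowerInvariant()   # SPN matching is case-insensitive
                if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                $owners[$key] += $dn
            }
        }
    } finally {
        $results.Dispose()
    }
    # Only SPNs that appear on two or more objects are a problem
    $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{ SPN = $_.Key; Owners = ($_.Value -join '; ') }
    }
}

# Placeholder account name; replace with the account you are inspecting
Get-AccountSpn -SamAccountName 'svc-web'
Find-DuplicateSpn | Format-Table -AutoSize
```

Running Find-DuplicateSpn after every SPN change (whether made with setspn or through Attribute Editor) catches the "duplicate SPN" situation before it surfaces as Kerberos ticket failures on the wire.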


Monday, August 22, 2011

WIF : The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.


If you are using WIF and C2WTS and you get the above error, it’s probably because the C2WTS service is not yet started.

It’s this one in the Services window (which is in the “Administrative Tools” menu):

“Claims to Windows Token Service”

and the description is:

“Service to convert claims based identities to windows identities”

Note that you must use Windows domain user accounts. These accounts must have a User Principal Name (UPN).


Thursday, August 18, 2011

ADFS : Metadata XML won’t display in IE


A number of people have commented on this problem with ADFS v2.0. It seems to be confined to Internet Explorer (IE).

Basically, the problem is that you want to display a site’s metadata, so you browse to the URL (the https://xxxx/FederationMetadata/2007-06/FederationMetadata.xml one) and see … zip / nada / nothing / blank. WTF!

Two “solutions” that may help:

  • Use Firefox
  • Toggle the IE compatibility mode.


Wednesday, August 17, 2011

ADFS : Error from “Update from Federation Metadata”


When you’re in ADFS v2.0 and you are trying to update the metadata of a CP or RP, you sometimes get the message “An error occurred during an attempt to read the federation metadata”.

A useful trick is to open a browser and navigate to the URL of the site whose metadata you are attempting to update. If you get any certificate errors, fix them first: ADFS does not tolerate certificate errors when it reads metadata. Everything has to be squeaky clean!
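As an added example (not from the original post), the same check done from PowerShell: fetch the metadata URL the way a non-interactive client would, report whether the TLS certificate validated, and show what the certificate and the metadata's entityID are. A browser may silently use a cached exception; this does not. The URL is a placeholder, and the function assumes the ADFS server can reach the target directly (no proxy settings are applied).

```powershell
# Added example, not from the original post. The URL below is a placeholder.
function Test-FederationMetadataUrl {
    param([Parameter(Mandatory=$true)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        [xml]$xml = $body                      # throws if the body is not XML
        $cert = $req.ServicePoint.Certificate  # certificate the server presented
        New-Object PSObject -Property @{
            Url      = $Url
            TlsOk    = $true
            Subject  = $cert.Subject
            NotAfter = $cert.GetExpirationDateString()
            EntityID = $xml.EntityDescriptor.entityID
        }
    } catch [System.Net.WebException] {
        # TrustFailure is the status .NET uses when the server certificate
        # could not be validated; that is the case ADFS refuses to work with.
        $status = $_.Exception.Status
        $detail = $_.Exception.Message
        if ($_.Exception.InnerException) { $detail = $_.Exception.InnerException.Message }
        New-Object PSObject -Property @{
            Url    = $Url
            TlsOk  = ($status -ne [System.Net.WebExceptionStatus]::TrustFailure)
            Status = [string]$status
            Detail = $detail
        }
    }
}

# Placeholder URL; replace with the partner's metadata endpoint
Test-FederationMetadataUrl -Url 'https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml' |
    Format-List
```

If TlsOk comes back false with Status TrustFailure, fix the chain, name or expiry on the partner's certificate (or publish its issuing CA to the ADFS server) before retrying “Update from Federation Metadata”; other statuses such as NameResolutionFailure or ConnectFailure point at DNS or firewall rather than certificates.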


Monday, August 15, 2011

IIS : IE missing “Install Certificate” button on “View Certificates”


It’s a common problem with IE. You access a site, get a certificate error and see the pink address bar. The solution is to install the certificate into the “Trusted Root CA” certificate store.

You normally do that by clicking the padlock icon to the right of the address bar then “View Certificates” and then clicking the “Install Certificate” button. Lately, I've come across some instances where the button is missing in action. WTF?

Mr. Google to the rescue and the solution is to right-click the IE icon on the desktop and select “Run as administrator”. (In other words, IE needs to be run as Administrator).

And then there was sweetness and light and verily the button doth appear!


Thursday, August 11, 2011

ADFS : Accessing the Windows Internal Database


ADFS either uses SQL Server or a WID to store all the configuration components. I’ve tried before to access the WID with no joy but then discovered that the reason why was because of the completely non-intuitive and obtuse server name which has to be:


Damn, why on earth didn’t I think of that?!

The easiest way to access it is via the free SQL Server Management Studio Express. Ignore all the talk of SQL Server 2005 Express Edition – it works for the WID.

When you connect, leave the “Server Type” as “Database Engine” and insert the above string as the “Server Name”.

Away you go – the two DBs of interest are AdfsArtifactStore and ADFSConfiguration.


Monday, August 08, 2011

Kerberos : Some useful tools


Needed to do some work in this area and found the following extremely useful:

KerbTray is a GUI tool used to display ticket information for a given computer running the Kerberos protocol. You can purge all the Kerberos tickets with this.

KList is a command-line tool used to view and delete the Kerberos tickets granted to the current logon session. It allows you to delete selected Kerberos tickets (as opposed to KerbTray, which deletes them all).

In terms of debugging, I found Wireshark to be useful to see what happens on the actual wire. You can narrow the capture down by using the Kerberos protocol as a display filter.

The other alternative is to enable Kerberos event logging. Really simple to do – just one registry setting. Just remember to disable it when you are done, as it is noisy and logs benign negotiation errors too.
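As an added example (not from the original post), a small PowerShell wrapper around that one registry setting, so that turning logging on and, more importantly, off again is a single call with a verification step. The key and value are the ones Microsoft documents for Kerberos event logging (LogLevel = 1 under the Kerberos Parameters key); the event provider name used to read the results back is my assumption for Vista/2008-era systems and is worth checking in Event Viewer on yours.

```powershell
# Added example, not from the original post. Run elevated.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosEventLogging {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    if ($Enabled) {
        # LogLevel = 1 (REG_DWORD) turns on Kerberos event logging to the System log
        New-ItemProperty -Path $KerbParams -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Remove the value rather than leaving a 0 behind, so the box is back to default
        Remove-ItemProperty -Path $KerbParams -Name LogLevel -ErrorAction SilentlyContinue
    }
    # Return the effective state so a caller can assert on it
    $current = (Get-ItemProperty -Path $KerbParams -ErrorAction SilentlyContinue).LogLevel
    return ($current -eq 1)
}

function Get-KerberosEventLog {
    param([int]$Last = 20)
    # Provider name is an assumption (Vista/2008 and later); adjust if your
    # System log shows Kerberos events under a different source.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Typical session: enable, reproduce the problem, read, disable
Set-KerberosEventLogging -Enabled $true
# ... reproduce the failing logon / delegation here ...
Get-KerberosEventLog -Last 10 | Format-List
Set-KerberosEventLogging -Enabled $false
```

Wrapping the disable step in the same script is the point: the common failure is leaving verbose Kerberos logging on for months, which fills the System log and masks real errors.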

DelegConfig is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegated Kerberos credentials. It can be really useful but has to be setup correctly. Worth running if only to read the comments and explanations.


Wednesday, August 03, 2011

WIF : Displaying WIF trace files


Trace or log files are very useful to help you find problems with WIF.

I normally add the following to the web.config (inside the <configuration> element). It turns on verbose tracing for the Microsoft.IdentityModel source and writes it to an XML file that the application pool identity must be able to create:

    <system.diagnostics>
      <sources>
        <source name="Microsoft.IdentityModel" switchValue="Verbose">
          <listeners>
            <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
                 initializeData="xxx\Logs\WIF.xml" />
          </listeners>
        </source>
      </sources>
      <trace autoflush="true" />
    </system.diagnostics>


This produces a ton of output in XML format, but it's not that easy to read!

The trick is to use the Service Trace Viewer Tool.

See Examining WCF Diagnostic Traces Using Service Trace Viewer Tool for download instructions.

Run up the tool (you may need to run as administrator), then File / Open with the file type set to XML and you'll find it so much easier!
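As an added example (not from the original post), here is a way to triage the same WIF.xml without Service Trace Viewer: pull out only the Warning/Error/Critical entries. XmlWriterTraceListener writes one <E2ETraceEvent> element per trace with no document root, so the script wraps a root around the file before parsing. The two trace records written to a temp file below are constructed sample data in that shape, not real WIF output.

```powershell
# Added example, not from the original post.
function Get-WifTraceProblem {
    param([Parameter(Mandatory=$true)][string]$Path)
    # The trace file is a sequence of elements with no root; add one so it parses.
    [xml]$doc = '<root>' + [System.IO.File]::ReadAllText($Path) + '</root>'
    foreach ($e in $doc.DocumentElement.ChildNodes) {
        if ($e.NodeType -ne 'Element') { continue }
        $sys   = $e.GetElementsByTagName('System')[0]
        $level = $sys.GetElementsByTagName('SubType')[0].GetAttribute('Name')
        # Verbose/Information is the noise the post complains about; skip it
        if (@('Warning', 'Error', 'Critical') -notcontains $level) { continue }
        New-Object PSObject -Property @{
            Time    = $sys.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            Level   = $level
            Source  = $sys.GetElementsByTagName('Source')[0].GetAttribute('Name')
            Message = $e.GetElementsByTagName('ApplicationData')[0].InnerText
        }
    }
}

# Constructed sample in the XmlWriterTraceListener shape: one Information, one Warning
$sample = @'
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>0</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2011-08-03T09:15:01.0000000Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="1234" ThreadID="7" /><Channel/><Computer>WEB01</Computer></System><ApplicationData>Constructed sample: token received</ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>0</EventID><Type>3</Type><SubType Name="Warning">0</SubType><Level>4</Level><TimeCreated SystemTime="2011-08-03T09:15:02.0000000Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="w3wp" ProcessID="1234" ThreadID="7" /><Channel/><Computer>WEB01</Computer></System><ApplicationData>Constructed sample: signing certificate is not trusted</ApplicationData></E2ETraceEvent>
'@
$tmp = Join-Path $env:TEMP 'WIF-sample.xml'
[System.IO.File]::WriteAllText($tmp, $sample)

# Only the Warning line is returned; point -Path at your real xxx\Logs\WIF.xml instead
Get-WifTraceProblem -Path $tmp | Format-Table Time, Level, Source, Message -AutoSize
```

Because autoflush is on in the config above, the file can be read while the application is still running; copying it first avoids a sharing violation on a busy site.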